21 Nov 2021

Webinar Recap | ISO 27001 Certification Journeys

Privasec Stand: B23

In this event recap, catch up on what the Privasec team has been up to in the recent “ISO 27001 Certification Journeys” joint webinar with the Association of Information Security Professionals (AiSP).

To start off, let’s dive into the definitions of terms talked about in the webinar.

What is an ISMS?
An Information Security Management System (ISMS) is a system that prescribes an organisation's approach to information security.

What is ISO 27001?
ISO 27001 is an international standard that sets out the specification for an ISMS. It contains a set of best practices that allow organisations to implement a world-class risk management system to strategise and coordinate their security investments, whilst gaining marketable recognition for it.

An ISO 27001 certification can provide assurance to clients and stakeholders, as it shows that the company is taking a risk-based approach to its systems. It also gives clients confidence that the product comes from a company that is secure and alert to risk.

In this webinar, our panel of industry professionals shared and discussed their perspectives on the topic of ISMS and ISO 27001 certification.

The session started off with Leonard Ong, the Regional Information Security Officer of GE Healthcare, sharing the GE Healthcare ISO 27001 Certification Journey and the unique ISMS challenges the company faced in the Healthcare/MedTech industry.

Next, our own Regional Head, Lim Quan Heng, shared Privasec’s implementation approach for ISO 27001 Certification, using the Plan, Do, Check, Act framework, and also addressed six common misconceptions surrounding ISO 27001 Certification.

Afterwards, Wong Onn Chee, representing Rajah & Tann Cybersecurity and AiSP, shared on the use of ISO 27001 as an over-arching security governance standard, whose certifiability means that a certified organisation is subject to regular surveillance audits by certification bodies. He then broadened the discussion to more detailed technical standards such as CIS Controls v8.

Finally, Shirish Bapat from Lloyd’s Register Quality Assurance Limited shared the assessment process for ISO 27001 certification from the perspective of a Certification Body.

The event concluded with a meaningful, thought-provoking Q&A session moderated by Joey Cheng, Regional Account Manager at Privasec. Check out the Q&A below.

We hope you all enjoyed the event as much as we did! It was a very insightful session, hearing from speakers across various industries. Thank you to all our esteemed speakers and wonderful participants, and we hope to see everyone again!

Questions & Answers (Q&A)

Does ISO 27001 cover the Personal Data Protection Act 2010?

As the AiSP Special Interest Group (SIG) lead for Data and Privacy, Wong Onn Chee addressed the question by first highlighting the different editions of the Personal Data Protection Act (PDPA).

The Personal Data Protection Act (PDPA) 2010 is used in Malaysia, and Singapore uses the Personal Data Protection Act (PDPA) 2012. Both Acts are fairly similar, other than the recent revision in February 2021 of Singapore’s Act.

Firstly, ISO 27001 would form a good demonstration of your organisation complying with the protection principles enshrined in the PDPA. However, some PDPA principles, such as consent, are not covered by ISO 27001, which has no specific controls related to consent. Also, Singapore’s recent revision of the PDPA introduces updates on Accountability, the Right to Access personal data, the Right to Update personal data, etc.

Secondly, the PDPA’s data protection requirements are relatively simple, set out in a few clauses. However, depending on the industry and sector your organisation operates in, such as Healthcare or Financial Services, there will be more detailed requirements for data protection.

At a high level, ISO 27001 does demonstrate your organisation’s ability to meet the minimum threshold expected to protect personal data.

Shirish Bapat also shared his perspective on how organisations can determine which acts they need to consider.

He mentioned that this depends on the organisation’s type of industry, country of operations, and the local context and regulations. The standards are just a framework, and do not define which legislation the organisation should follow.

The organisation needs to identify which legal requirements apply to it. For example, the payment industry would need to comply with payment industry requirements such as the Payment Card Industry Data Security Standard (PCI DSS). All in all, the organisation has to identify its context and the risk processes involved.

There are many pieces of legislation out there: some are mandatory, some are stipulated by local regulations and government, and some can be used as guidelines from which organisations can learn and take reference to improve their systems.

Wong Onn Chee also raised the recent increase in data breach news in Singapore. He highlighted the concern regarding the selection of third-party vendors, since many of the data breaches are due to outsourced vendors.

In his experience handling data breaches in Singapore, he stated, none of the vendors involved in the data breaches were ISO 27001 certified. While direct causation cannot be concluded, he noted that a correlation could be drawn from this.

He then raised the question of how we select our vendors, and whether we are selecting vendors based on cost and quality at the expense of security.

Lim Quan Heng added to the discussion of third-party risk: many recent data breach incidents have been associated with external organisations that businesses rely on as part of their supply chain. A lack of third-party risk management is also commonly identified in general assessments of organisations.

From the legal point of view, the first layer of addressing this would be the right to audit your vendor. However, most organisations do not have terms in their contracts to do so, which removes the organisation’s ability to perform due diligence on third parties. Many organisations also lack a proper framework to manage third-party due diligence.

In the recent revision of the Monetary Authority of Singapore Technology Risk Management (TRM) Guidelines, there is also more emphasis on third-party risk. This should be part of any organisation’s arsenal, especially if technology is a core element of the organisation.
